From 885ecf0c6e4994f5d5fe2f34e38e89b3d4e1f50b Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Mon, 3 Jul 2023 14:36:42 -0700
Subject: [PATCH] feat(security): add CSP violation reporting

Sentry.io provides a CSP violation reporting endpoint; we should use it. This change adds the environment variable, `SENTRY_REPORT_URI`. If present, it is handed to `django-csp` and used for the `report-uri` directive.

Fixes: #287
---
 .env.example | 1 +
 bc/settings/project/security.py | 4 ++++
 bc/settings/third_party/sentry.py | 1 +
 3 files changed, 6 insertions(+)

diff --git a/.env.example b/.env.example
index 136d79b0..8ef3966b 100644
--- a/.env.example
+++ b/.env.example
@@ -41,6 +41,7 @@ RQ_RETRY_INTERVAL=20
 # sentry.py
 SENTRY_DSN=""
 SENTRY_SAMPLE_TRACE=1.0
+SENTRY_REPORT_URI=""
 # twitter.py
 TWITTER_CONSUMER_KEY=""
diff --git a/bc/settings/project/security.py b/bc/settings/project/security.py
index b27dcd3d..c971ce4a 100644
--- a/bc/settings/project/security.py
+++ b/bc/settings/project/security.py
@@ -4,6 +4,7 @@ from ..django import DEVELOPMENT, INSTALLED_APPS
 from ..third_party.aws import AWS_S3_CUSTOM_DOMAIN
+from ..third_party.sentry import SENTRY_REPORT_URI
 env = environ.FileAwareEnv()
@@ -30,6 +31,9 @@
 AWS_S3_CUSTOM_DOMAIN,
 "https://newassets.hcaptcha.com/",
 )
+if SENTRY_REPORT_URI:
+ CSP_REPORT_URI = SENTRY_REPORT_URI
 RATELIMIT_VIEW = "bc.web.views.ratelimited"
diff --git a/bc/settings/third_party/sentry.py b/bc/settings/third_party/sentry.py
index 921e0c84..b2b27930 100644
--- a/bc/settings/third_party/sentry.py
+++ b/bc/settings/third_party/sentry.py
@@ -7,6 +7,7 @@ env = environ.FileAwareEnv()
 SENTRY_DSN = env("SENTRY_DSN", default="")
 SENTRY_SAMPLE_TRACE = env("SENTRY_SAMPLE_TRACE", default=1.0)
+SENTRY_REPORT_URI = env("SENTRY_REPORT_URI", default="")
 if SENTRY_DSN:
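Review bot: The new `CSP_REPORT_URI` block in the second security.py hunk has no comment explaining why the setting is only assigned when `SENTRY_REPORT_URI` is truthy or what the value is, and nothing here bounds the volume of violation reports browsers will post to Sentry. I'd add `# Sentry's CSP report endpoint; only emit report-uri when configured so an unset variable produces no directive` above the `if`, and consider django-csp's report sampling (`CSP_REPORT_PERCENTAGE` with its rate-limited middleware, if the installed version provides it) so noisy sources such as browser extensions cannot exhaust the Sentry quota. `report-uri` is deprecated in CSP Level 3 in favour of `report-to`, but it remains the widely supported mechanism, so it is the right directive to start with. The `CSP_*` tuple that the hunk's context lines close starts before the hunk.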